deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

new build

Browse Source
This commit is contained in:
Brian Lich
2016-03-31 09:25:25 -07:00
parent c8224c60e7
commit edb7f5a067
233 changed files with 5429 additions and 4656 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
windows/manage/TOC.md
View File

@ -1,7 +1,7 @@
# [Manage and update Windows 10](index.md)
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md))
## [Manage corporate devices](manage-corporate-devices.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
@ -17,10 +17,9 @@
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
### [Configure telemetry in your organization](configure-telemetry-in-your-organization.md)
### [Disconnect from Microsoft and configure privacy settings in your organization](disconnect-your-organization-from-microsoft.md)
### [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)
### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
### [Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)
### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md))
### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
#### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
#### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
@ -28,30 +27,31 @@
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [Configure devices without MDM](configure-devices-without-mdm.md)
## [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)
## [Application development for Windows as a service](application-development-for-windows-as-a-service.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-and-get-started.md)
#### [Prerequisites for Windows Store for Business](prerequisites-for-windows-store-for-business.md)
#### [Sign up for Windows Store for Business](sign-up-for-windows-store-for-business.md)
#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-in-the-windows-store-for-business.md)
#### [Settings reference: Windows Store for Business](settings-reference--windows-store-for-business.md)
### [Find and acquire apps](find-and-acquire-apps.md)
#### [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md)
### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
### [Find and acquire apps](find-and-acquire-apps-overview.md)
#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-from-the-windows-store-for-business.md)
### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
#### [Assign apps to employees](assign-apps-to-employees.md)
#### [Distribute apps with a management tool](distribute-apps-with-a-management-tool.md)
#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
#### [Distribute offline apps](distribute-offline-apps.md)
### [Manage apps](manage-apps.md)
### [Manage apps](manage-apps-windows-store-for-business-overview.md)
#### [Manage access to private store](manage-access-to-private-store.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-for-windows-store-for-business.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)
#### [Manage private store settings](manage-private-store-settings.md)
#### [Configure MDM provider](configure-mdm-provider.md)
#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
### [Device Guard signing portal](device-guard-signing-portal.md)
#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
### [Manage settings in the Windows Store for Business](manage-settings-in-the-windows-store-for-business.md)
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings-.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-in-the-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot.md)
### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md))
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md))
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md))

2
windows/manage/add-unsigned-app-to-code-integrity-policy.md
View File

@ -84,7 +84,7 @@ After you're done, the files are saved to your desktop. You still need to sign t
## <a href="" id="catalog-signing-device-guard-portal"></a>Catalog signing with Device Guard signing portal
To sign catalog files with the Device Guard signing portal, you need to be signed up with the Windows Store for Business. For more information, see [Sign up for the Windows Store for Business](sign-up-for-windows-store-for-business.md).
To sign catalog files with the Device Guard signing portal, you need to be signed up with the Windows Store for Business. For more information, see [Sign up for the Windows Store for Business](sign-up-windows-store-for-business.md).
Catalog signing is a vital step to adding your unsigned apps to your code integrity policy.

2
windows/manage/app-inventory-managemement-for-windows-store-for-business.md → windows/manage/app-inventory-managemement-windows-store-for-business.md
View File

@ -120,7 +120,7 @@ For online-licensed apps, there are a couple of ways to distribute apps from you
- Add apps to your private store, and let people in your organization install the app.
If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-a-management-tool.md).
If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
### Assign apps

189
windows/manage/application-development-for-windows-as-a-service.md Normal file
View File

@ -0,0 +1,189 @@
---
title: Application development for Windows as a service (Windows 10)
description: In todays environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years.
ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Application development for Windows as a service
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10 IoT Core (IoT Core)
In todays environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting.
Builds distributed as flights provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery and better public release quality than ever.
## Windows 10 release types and cadences
Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis:
**Feature updates** install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature updates contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. Microsoft expects to publish an average of one to two new feature updates per year.
**Quality updates** deliver security issue resolutions and other important bug fixes. Quality updates will be provided to improve each feature currently in support, on a cadence of one or more times per month. Microsoft will continue publishing quality updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional quality updates for Windows 10 outside the Update Tuesday process when required to address customer needs.
During Windows 10 development, Microsoft streamlined the Windows product engineering and release cycle so that we can deliver the features, experiences, and functionality customers want, more quickly than ever. We also created new ways to deliver and install feature updates and quality updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. Hence we have implemented new servicing options referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible.
The following table shows describes the various servicing branches and their key attributes.
| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions |
|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, Mobile, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) |
| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, Mobile Enterprise, IoT Core Pro |
| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB |
 
For more information, see [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md).
## Supporting apps in Windows as a service
The traditional approach for supporting apps has been to release a new app version in response to a Windows release. This assumes that there are breaking changes in the underlying OS that could potentially cause a regression with the application. This model involves a dedicated development and validation cycle that requires our ISV partners to align with the Windows release cadence.
In the Windows as a service model, Microsoft is making a commitment to maintaining the compatibility of the underlying OS. This means Microsoft will make a concerted effort to ensure that there are no breaking changes that impact the app ecosystem negatively. In this scenario, when there is a release of a Windows build, most apps (those with no kernel dependencies) will continue to work.
In view of this change, Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. Our mutual customers are better served by an application lifecycle approach. This means when an application version is released it will be supported for a certain period of time irrespective of however many Windows builds are released in the interim. The ISV makes a commitment to provide support for that specific version of the app as long as it is supported in the lifecycle. Microsoft follows a similar lifecycle approach for Windows that can be referenced [here](http://go.microsoft.com/fwlink/?LinkID=780549).
This approach will reduce the burden of maintaining an app schedule that aligns with Windows releases. ISV partners should be free to release features or updates at their own cadence. We feel that our partners can keep their customer base updated with the latest app updates independent of a Windows release. In addition, our customers do not have to seek an explicit support statement whenever a Windows build is released. Here is an example of a support statement that covers how an app may be supported across different versions of the OS:
| Example of an application lifecycle support statement |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Contoso is a software development company and is the owner of the popular Mojave app which has a major share in the enterprise space. Contoso releases its next major release Mojave 14.0 and declares mainstream support for a period of three years from the release date. During mainstream support all updates and support are complimentary for the licensed product. Contoso also declares an additional two years of extended support where customers can purchase updates and support for a grace period. Beyond the extended support end date this product version is no longer supported. During the period of mainstream support Contoso will support Mojave 14.0 on all released builds of Windows. Contoso will also release updates to Mojave as necessary and independent of the Windows product releases. |
 
In the following sections, you will find additional information about the steps Microsoft takes to maintain the compatibility of the underlying OS. You will also find guidance on steps you can take to help maintain the compatibility of the combined OS and app ecosystem. There is a section on how to leverage Windows flighting builds to detect app regressions before a Windows build is released. Lastly, we describe how we use an instrumentation and telemetry-driven approach to increase the quality of Windows builds. We recommend ISVs adopt a similar approach with their app portfolio.
## Key changes since Windows 7 to ensure app compatibility
We understand that compatibility matters to developers. ISVs and developers want to ensure their apps will run as expected on all supported versions of the Windows OS. Consumers and businesses have a key investment here—they want to ensure that the apps they have paid for will continue to work. We know that compatibility is the primary criteria for purchase decisions. Apps that are well written based on best practices will lead to much less code churn when a new Windows version is released and will reduce fragmentation—these apps have a reduced engineering investment to maintain, and a faster time to market.
In the Windows 7 timeframe, compatibility was very much a reactive approach. In Windows 8 we started looking at this differently, working within Windows to ensure that compatibility was by design rather than an afterthought. Windows 10 is the most compatible-by-design version of the OS to date. Here are some key ways we accomplished this:
- **App telemetry**: This helps us understand app popularity in the Windows ecosystem to inform compatibility testing.
- **ISV partnerships**: Work directly with external partners to provide them with data and help fix issues that our users experience.
- **Design reviews, upstream detection**: Partner with feature teams to reduce the number of breaking changes in Windows. Compatibility review is a gate that our feature teams must pass.
- **Communication**: Tighter control over API changes and improved communication.
- **Flighting and feedback loop**: Windows insiders receive flighted builds that help improve our ability to find compatibility issues before a final build is released to customers. This feedback process not only exposes bugs, but ensures we are shipping features our users want.
## Microsoft uses data to make Windows 10 better
Microsoft uses diagnostic and usage data to identify and troubleshoot problems, improve our products and services, and provide our users with personalized experiences. The usage data we collect also extends to the apps that PCs in the Windows ecosystem are running. Based on what our customers use, we build our list to test these apps, devices, and drivers against new versions of the Windows OS. Windows 10 has been the most compatible version of Windows to-date, with over 90% compatibility against thousands of popular apps. The Windows Compatibility team commonly reaches out to our ISV partners to provide feedback if issues are discovered, so that we can partner together on solutions. Ideally, wed like our common customers to be able to update Windows seamlessly and without losing functionality in either their OS or the apps they depend on for their productivity or entertainment.
The following sections contain some best practices Microsoft recommends so you can ensure your apps are compatible with Windows 10.
**Windows version check**
The OS version has been incremented with Windows 10. This means that the internal version number has been changed to 10.0. As in the past, we go to great lengths to maintain application and device compatibility after an OS version change. For most app categories (without any kernel dependencies) the change will not negatively impact app functionality, and existing apps will continue to work fine on Windows 10.
The manifestation of this change is app-specific. This means any app that specifically checks for the OS version will get a higher version number, which can lead to one or more of the following situations:
- App installers might not be able to install the app, and apps might not be able to start.
- Apps might become unstable or crash.
- Apps might generate error messages, but continue to function properly.
Some apps perform a version check and simply pass a warning to users. However, there are apps that are bound very tightly to a version check (in the drivers, or in kernel mode to avoid detection). In these cases, the app will fail if an incorrect version is found. Rather than a version check, we recommend one of the following approaches:
- If the app is dependent on specific API functionality, ensure you target the correct API version.
- Ensure you detect the change via APISet or another public API, and do not use the version as a proxy for some feature or fix. If there are breaking changes and a proper check is not exposed, then that is a bug.
- Ensure the app does NOT check for version in odd ways, such as via the registry, file versions, offsets, kernel mode, drivers, or other means. If the app absolutely needs to check the version, use the GetVersion APIs, which should return the major, minor, and build number.
- If you are using the [GetVersion](http://go.microsoft.com/fwlink/?LinkID=780555) API, remember that the behavior of this API has changed since Windows 8.1.
If you own apps such as antimalware or firewall apps, you should work through your usual feedback channels and via the Windows Insider program.
**Undocumented APIs**
Your apps should not call undocumented Windows APIs, or take dependency on specific Windows file exports or registry keys. This can lead to broken functionality, data loss, and potential security issues. If there is functionality your app requires that is not available, this is an opportunity to provide feedback through your usual feedback channels and via the Windows Insider program.
**Develop Universal Windows Platform (UWP) and Centennial apps**
We encourage all Win32 app ISVs to develop [Universal Windows Platform (UWP)](http://go.microsoft.com/fwlink/?LinkID=780560) and, specifically, [Centennial](http://go.microsoft.com/fwlink/?LinkID=780562) apps moving forward. There are great benefits to developing these app packages rather than using traditional Win32 installers. UWP apps are also supported in the [Windows Store](http://go.microsoft.com/fwlink/?LinkID=780563), so its easier for you to update your users to a consistent version automatically, lowering your support costs.
If your Win32 app types do not work with the Centennial model, we highly recommend that you use the right installer and ensure this is fully tested. An installer is your user or customers first experience with your app, so ensure that this works well. All too often, this doesnt work well or it hasnt been fully tested for all scenarios. The [Windows App Certification Kit](http://go.microsoft.com/fwlink/?LinkID=780565) can help you test the install and uninstall of your Win32 app and help you identify use of undocumented APIs, as well as other basic performance-related best-practice issues, before your users do.
**Best pratcices:**
- Use installers that work for both 32-bit and 64-bit versions of Windows.
- Design your installers to run on multiple scenarios (user or machine level).
- Keep all Windows redistributables in the original packaging if you repackage these, its possible that this will break the installer.
- Schedule development time for your installers—these are often overlooked as a deliverable during the software development lifecycle.
## Optimized test strategies and flighting
Windows OS flighting refers to the interim builds available to Windows Insiders before a final build is released to the general population. The more Insiders that flight these interim builds, the more feedback we receive on the build quality, compatibility, etc., and this helps improve quality of the final builds. You can participate in this flighting program to ensure that your apps work as expected on iterative builds of the OS. We also encourage you to provide feedback on how these flighted builds are working for you, issues you run into, and so on.
If your app is in the Store, you can flight your app via the Store, which means that your app will be available for our Windows Insider population to install. Users can install your app and you can receive preliminary feedback on your app before you release it to the general population. The follow sections outline the steps for testing your apps against Windows flighted builds.
**Step 1: Become a Windows Insider and participate in flighting**
As a [Windows Insider,](http://go.microsoft.com/fwlink/p/?LinkId=521639) you can help shape the future of Windows—your feedback will help us improve features and functionality in the platform. This is a vibrant community where you can connect with other enthusiasts, join forums, trade advice, and learn about upcoming Insider-only events.
Since youll have access to preview builds of Windows 10, Windows 10 Mobile, and the latest Windows SDK and Emulator, youll have all the tools at your disposal to develop great apps and explore what's new in the Universal Windows Platform and the Windows Store.
This is also a great opportunity to build great hardware, with preview builds of the hardware development kits so you can develop universal drivers for Windows. The IoT Core Insider Preview is also available on supported IoT development boards, so you can build amazing connected solutions using the Universal Windows Platform.
Before you become a Windows Insider, please note that participation is intended for users who:
- Want to try out software thats still in development.
- Want to share feedback about the software and the platform.
- Dont mind lots of updates or a UI design that might change significantly over time.
- Really know their way around a PC and feel comfortable troubleshooting problems, backing up data, formatting a hard drive, installing an operating system from scratch, or restoring an old one if necessary.
- Know what an ISO file is and how to use it.
- Aren't installing it on their everyday computer or device.
**Step 2: Test your scenarios**
Once you have updated to a flighted build, the following are some sample test cases to help you get started on testing and gathering feedback. For most of these tests, ensure you cover both x86 and AMD64 systems.
**Clean install test:** On a clean install of Windows 10, ensure your app is fully functional. If your app fails this test and the upgrade test, then its likely that the issue is caused by underlying OS changes or bugs in the app. If after investigation, the former is the case, be sure to use the Windows Insider program to provide feedback and partner on solutions.
**Upgrade Test:** Check that your app works after upgrading from a down-level version of Windows (i.e. Windows 7 or Windows 8.1) to Windows 10. Your app shouldnt cause roll backs during upgrade, and should continue to work as expected after upgrade—this is crucial to achieve a seamless upgrade experience.
**Reinstall Test:** Ensure that app functionality can be restored by reinstalling your app after you upgrade the PC to Windows 10 from a down-level OS. If your app didnt pass the upgrade test and you have not been able to narrow down the cause of these issues, its possible that a reinstall can restore lost functionality. A passing reinstall test indicates that parts of the app may not have been migrated to Windows 10.
**OS\\Device Features Test:** Ensure that your app works as expected if your app relies on specific functionality in the OS. Common areas for testing include the following, often against a selection of the commonly used PC models to ensure coverage:
- Audio
- USB device functionality (keyboard, mouse, memory stick, external hard disk, and so on)
- Bluetooth
- Graphics\\display (multi-monitor, projection, screen rotation, and so on)
- Touch screen (orientation, on-screen keyboard, pen, gestures, and so on)
- Touchpad (left\\right buttons, tap, scroll, and so on)
- Pen (single\\double tap, press, hold, eraser, and so on)
- Print\\Scan
- Sensors (accelerometer, fusion, and so on)
- Camera
**Step 3: Provide feedback**
Let us know how your app is performing against flighted builds. As you discover issues with your app during testing, please log bugs via the partner portal if you have access, or through your Microsoft representative. We encourage this information so that we can build a quality experience for our users together.
**Step 4: Register on Windows 10**
The [Ready for Windows 10](http://go.microsoft.com/fwlink/?LinkID=780580) website is a directory of software that supports Windows 10. Its intended for IT administrators at companies and organizations worldwide that are considering Windows 10 for their deployments. IT administrators can check the site to see whether software deployed in their enterprise is supported in Windows 10.
## Related topics
[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)
 
 

2
windows/manage/apps-in-the-windows-store-for-business.md → windows/manage/apps-in-windows-store-for-business.md
View File

@ -79,7 +79,7 @@ You have the following distribution options for offline-licensed apps:
- Distribute the app through a management tool.
For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-to-your-employees-from-the-windows-store-for-business.md).
For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
 

22
windows/manage/change-history-for-manage-and-update-windows-10.md
View File

@ -29,21 +29,25 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
</thead>
<tbody>
<tr class="odd">
<td align="left">[Application development for Windows as a service](application-development-for-windows-as-a-service.md)</td>
<td align="left">New</td>
</tr>
<tr class="even">
<td align="left">[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)</td>
<td align="left"><p>New</p></td>
</tr>
<tr class="even">
<td align="left">[Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md)</td>
<tr class="odd">
<td align="left">[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md))</td>
<td align="left"><p>Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration.</p></td>
</tr>
<tr class="even">
<td align="left">[Configure telemetry in your organization](../manage/configure-telemetry-in-your-organization.md)</td>
<td align="left"><p>Updated to include Windows Server 2016 Technical Preview.</p></td>
</tr>
<tr class="odd">
<td align="left">[Disconnect from Microsoft and configure privacy settings in your organization](disconnect-your-organization-from-microsoft.md)</td>
<td align="left"><p>Removed the telemetry content into its own topic.</p></td>
</tr>
<tr class="even">
<td align="left">[Configure telemetry in your organization](configure-telemetry-in-your-organization.md)</td>
<td align="left"><p>Updated to include Windows Server 2016 Technical Preview.</p></td>
</tr>
</tbody>
</table>
@ -110,11 +114,11 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
</thead>
<tbody>
<tr class="odd">
<td align="left">[Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md)</td>
<td align="left">[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md))</td>
<td align="left">New</td>
</tr>
<tr class="even">
<td align="left">[Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)</td>
<td align="left">[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md))</td>
<td align="left">New</td>
</tr>
<tr class="odd">
@ -140,7 +144,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) | New |
| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | New |
| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | New |
| [Windows Hello biometrics in the enterprise](../keep-secure/windows-hello-biometrics-in-the-enterprise.md) | New |
| [Windows Hello biometrics in the enterprise](../keep-secure/windows-hello-in-enterprise.md)) | New |
| [Windows Store for Business](windows-store-for-business.md) (multiple topics) | New |
| [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) | Updated |
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Updated |

0
windows/manage/configure-mdm-provider.md → windows/manage/configure-mdm-provider-windows-store-for-business.md
View File

310
windows/manage/configure-telemetry-in-your-organization.md
View File

@ -1,310 +0,0 @@
---
title: Configure telemetry in your organization (Windows 10)
description: Use this article to make informed decisions about how you can configure telemetry in your organization.
ms.assetid: 68D9BEAD-8ACE-4771-AF10-CCCD65EC7D98
keywords: ["privacy", "telemetry"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Configure telemetry in your organization
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows Server 2016 Technical Preview
Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
**Note**  
This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server
 
It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
We understand that the privacy and security of our customers information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
## Overview
In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using **Settings** &gt; **Privacy**, Group Policy, or MDM.
Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, gaining insights into driver reliability issues affecting other customers, and using usage data to tune some of their operations to reduce the total cost of ownership (TCO) and downtime.
For Windows 10, we invite IT pros to join the Windows Insider Program to give us feedback on what we can do to make Windows work better for youcr organization.
## How is telemetry data handled by Microsoft?
### Data collection
Data gathered by the Connected User Experience and Telemetry component complies with Microsofts [security and privacy policies](https://privacy.microsoft.com/privacystatement/), as well as international laws and regulations. The principle of least privilege guides access to telemetry data. Only Microsoft personnel who can demonstrate a valid business need can access the telemetry data.
### Data transfer
All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10,data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection,are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
### Endpoints
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
### Data usage
Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that includes aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft only gathers the information we need, and it is only stored for as long as it is needed to provide a service or for analysis. Most of the data is deleted within 30 days.
## How is the data gathered?
Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) [tracelogging](http://msdn.microsoft.com/library/dn904632.aspx) technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.
## Telemetry levels
This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview.
The telemetry data is categorized into four levels:
- **Security**. Information thats required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level.
- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview.
![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png)
### Security level
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates.
**Note**  
If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
 
The data gathered at this level includes:
- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsofts servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
**Note**  
You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
 
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
**Note**  
This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
 
For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computers registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
### Basic level
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including:
- Device attributes, such as camera resolution and display type
- Internet Explorer version
- Battery attributes, such as capacity and type
- Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
- Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
- Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
- Operating system attributes, such as Windows edition and virtualization state
- Storage attributes, such as number of drives, type, and size
- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
- **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
- **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
- **Driver data**. Includes specific driver usage thats meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
The data gathered at this level includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
### Full level
The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
Additionally, at this level, devices opted in to the Windows Insider Program will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the Windows Insider Program are automatically set to this level.
If a device experiences problems that are difficult to identify or repeat using Microsofts internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem.
However, before more data is gathered, Microsofts privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
- Ability to get registry keys.
### Manage your telemetry settings
We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
**Important**  
These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
 
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
### Configure the operating system telemetry level
You can configure your operating system telemetry settings using the management tools youre already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings.
Use the appropriate value in the table below when you configure the management policy.
| Value | Level | Data gathered |
|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
| **0** | Security | Security data only. |
| **1** | Basic | Security data, and basic system and quality data. |
| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
 
### Use Group Policy to set the telemetry level
Use a Group Policy object to set your organizations telemetry level.
1. From the Group Policy Management Console, go to **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds**.
2. Double-click **Allow Telemetry**.
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
### Use MDM to set the telemetry level
Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
### Use Registry Editor to set the telemetry level
Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
3. Type **AllowTelemetry**, and then press ENTER.
4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
5. Click **File** &gt; **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
### Configure System Center 2016 telemetry
For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
- Turn off telemetry by using the System Center UI Console settings workspace.
- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
### Additional telemetry controls
There are a few more settings that you can turn off that may send telemetry information:
- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** &gt; **Update & security** &gt; **Windows Defender**.
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
- Turn off **Linguistic Data Collection** in **Settings** &gt; **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
**Note**  
Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
 
## Examples of how Microsoft uses the telemetry data
### Drive higher apps and driver quality in the ecosystem
Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsofts ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications
### Reduce your total cost of ownership and downtime
Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
### <a href="" id="build-features-that-address-our-customers--needs"></a>Build features that address our customers needs
Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.
 
 

5
windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
View File

@ -90,11 +90,6 @@ Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/
17. Double-click the ppkg file and allow it to install.
**Warning**  
When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
 
## Related topics

616
windows/manage/disconnect-your-organization-from-microsoft.md
View File

@ -1,134 +1,139 @@
---
title: Disconnect from Microsoft and configure privacy settings in your organization (Windows 10)
description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.If youre looking for content on what each telemetry level means and how to configure it in your organization, see Configure telemetry in your organization.
title: Configure telemetry and other settings in your organization (Windows 10)
description: Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
keywords: ["privacy"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Disconnect from Microsoft and configure privacy settings in your organization
# Configure telemetry and other settings in your organization
**Applies to**
- Windows 10
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
If youre looking for content on what each telemetry level means and how to configure it in your organization, see [Configure telemetry in your organization](configure-telemetry-in-your-organization.md).
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
**Note**  Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows.
 
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the [Security level](configure-telemetry-in-your-organization.md#security-level), turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
The settings in this article assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
Here's what's covered in this article:
- [1. Cortana](#cortana)
- [Info management settings](#bkmk-othersettings)
- [1.1 Cortana Group Policies](#cortana-group-policies)
- [1. Cortana](#bkmk-cortana)
- [1.2 Cortana MDM policies](#cortana-mdm-policies)
- [1.1 Cortana Group Policies](#bkmk-cortana-gp)
- [1.3 Cortana Windows Provisioning](#cortana-windows-provisioning)
- [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
- [2. Device metadata retrieval](#device-metadata-retrieval)
- [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
- [3. Insider Preview builds](#insider-preview-builds)
- [2. Date & Time](#bkmk-datetime)
- [4. Internet Explorer](#internet-explorer)
- [3. Device metadata retrieval](#bkmk-devinst)
- [4.1 Internet Explorer Group Policies](#internet-explorer-group-policies)
- [4. Insider Preview builds](#bkmk-previewbuilds)
- [4.2 ActiveX control blocking](#internet-explorer-activex-control-blocking)
- [5. Internet Explorer](#bkmk-ie)
- [5. Mail synchronization](#mail-synchronization)
- [5.1 Internet Explorer Group Policies](#bkmk-ie-gp)
- [6. Microsoft Edge](#microsoft-edge)
- [5.2 ActiveX control blocking](#bkmk-ie-activex)
- [6.1 Microsoft Edge Group Policies](#microsoft-edge-group-policies)
- [6. Mail synchronization](#bkmk-mailsync)
- [6.2 Microsoft Edge MDM policies](#microsoft-edge-mdm-policies)
- [7. Microsoft Edge](#bkmk-edge)
- [6.3 Microsoft Edge Windows Provisioning](#microsoft-edge-windows-provisioning)
- [7.1 Microsoft Edge Group Policies](#bkmk-edgegp)
- [7. Network Connection Status Indicator](#network-connection-status-indicator)
- [7.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
- [8. Offline maps](#offline-maps)
- [7.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
- [9. OneDrive](#onedrive)
- [8. Network Connection Status Indicator](#bkmk-ncsi)
- [10. Preinstalled apps](#preinstalled-apps)
- [9. Offline maps](#bkmk-offlinemaps)
- [11. Settings &gt; Privacy](#settings--privacy)
- [10. OneDrive](#bkmk-onedrive)
- [11.1 General](#general)
- [11. Preinstalled apps](#bkmk-preinstalledapps)
- [11.2 Location](#location)
- [12. Settings &gt; Privacy](#bkmk-settingssection)
- [11.3 Camera](#camera)
- [12.1 General](#bkmk-general)
- [11.4 Microphone](#microphone)
- [12.2 Location](#bkmk-priv-location)
- [11.5 Speech, inking, & typing](#speech-inking--typing)
- [12.3 Camera](#bkmk-priv-camera)
- [11.6 Account info](#account-info)
- [12.4 Microphone](#bkmk-priv-microphone)
- [11.7 Contacts](#contacts)
- [12.5 Speech, inking, & typing](#bkmk-priv-speech)
- [11.8 Calendar](#calendar)
- [12.6 Account info](#bkmk-priv-accounts)
- [11.9 Call history](#settings-call-history)
- [12.7 Contacts](#bkmk-priv-contacts)
- [11.10 Email](#settings-email)
- [12.8 Calendar](#bkmk-priv-calendar)
- [11.11 Messaging](#settings-messaging)
- [12.9 Call history](#bkmk-priv-callhistory)
- [11.12 Radios](#settings-radios)
- [12.10 Email](#bkmk-priv-email)
- [11.13 Other devices](#settings-other-devices)
- [12.11 Messaging](#bkmk-priv-messaging)
- [11.14 Feedback & diagnostics](#settings-feedback)
- [12.12 Radios](#bkmk-priv-radios)
- [11.15 Background apps](#settings-background-apps)
- [12.13 Other devices](#bkmk-priv-other-devices)
- [12. Software Protection Platform](#software-protection-platform)
- [12.14 Feedback & diagnostics](#bkmk-priv-feedback)
- [13. Sync your settings](#sync-your-settings)
- [12.15 Background apps](#bkmk-priv-background)
- [14. Teredo](#teredo)
- [13. Software Protection Platform](#bkmk-spp)
- [15. Wi-Fi Sense](#wi-fi-sense)
- [14. Sync your settings](#bkmk-syncsettings)
- [16. Windows Defender](#windows-defender)
- [15. Teredo](#bkmk-teredo)
- [17. Windows Media Player](#windows-media-player)
- [16. Wi-Fi Sense](#bkmk-wifisense)
- [18. Windows spotlight](#windows-spotlight)
- [17. Windows Defender](#bkmk-defender)
- [19. Windows Store](#windows-store)
- [18. Windows Media Player](#bkmk-wmp)
- [20. Windows Update Delivery Optimization](#windows-update-delivery-optimization)
- [19. Windows spotlight](#bkmk-spotlight)
- [20.1 Settings &gt; Update & security](#settings--update-security)
- [20. Windows Store](#bkmk-windowsstore)
- [20.2 Delivery Optimization Group Policies](#delivery-optimization-group-policies)
- [21. Windows Update Delivery Optimization](#bkmk-updates)
- [20.3 Delivery Optimization MDM policies](#delivery-optimization-mdm-policies)
- [21.1 Settings &gt; Update & security](#bkmk-wudo-ui)
- [20.4 Delivery Optimization Windows Provisioning](#delivery-optimization-windows-provisioning)
- [21.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
- [21. Windows Update](#windows-update)
- [21.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
See the following table for a summary of the settings. For more info, see its corresponding section.
- [21.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
![](images/settings-table.png)
- [22. Windows Update](#bkmk-wu)
- [Manage your telemetry settings](#bkmk-utc)
- [How telemetry works](#bkmk-moreutc)
## What's new in Windows 10, version 1511
@ -183,12 +188,66 @@ Here's a list of changes that were made to this article for Windows 10, version
- Changed the Windows Update section to apply system-wide settings, and not just per user.
## <a href="" id="cortana"></a>1. Cortana
## <a href="" id="bkmk-othersettings"></a>Info management settings
This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
- [1. Cortana](#bkmk-cortana)
- [2. Date & Time](#bkmk-datetime)
- [3. Device metadata retrieval](#bkmk-devinst)
- [4. Insider Preview builds](#bkmk-previewbuilds)
- [5. Internet Explorer](#bkmk-ie)
- [6. Mail synchronization](#bkmk-mailsync)
- [7. Microsoft Edge](#bkmk-edge)
- [8. Network Connection Status Indicator](#bkmk-ncsi)
- [9. Offline maps](#bkmk-offlinemaps)
- [10. OneDrive](#bkmk-onedrive)
- [11. Preinstalled apps](#bkmk-preinstalledapps)
- [12. Settings &gt; Privacy](#bkmk-settingssection)
- [13. Software Protection Platform](#bkmk-spp)
- [14. Sync your settings](#bkmk-syncsettings)
- [15. Teredo](#bkmk-teredo)
- [16. Wi-Fi Sense](#bkmk-wifisense)
- [17. Windows Defender](#bkmk-defender)
- [18. Windows Media Player](#bkmk-wmp)
- [19. Windows spotlight](#bkmk-spotlight)
- [20. Windows Store](#bkmk-windowsstore)
- [21. Windows Update](#bkmk-wu)
- [22. Windows Update Delivery Optimization](#bkmk-updates)
See the following table for a summary of the management settings. For more info, see its corresponding section.
![](images/settings-table.png)
### <a href="" id="bkmk-cortana"></a>1. Cortana
Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ]( http://go.microsoft.com/fwlink/p/?LinkId=730683).
### <a href="" id="cortana-group-policies"></a>1.1 Cortana Group Policies
### <a href="" id="bkmk-cortana-gp"></a>1.1 Cortana Group Policies
Find the Cortana Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Search**.
@ -264,7 +323,7 @@ If your organization tests network traffic, you should not use Fiddler to test W
 
### <a href="" id="cortana-mdm-policies"></a>1.2 Cortana MDM policies
### <a href="" id="bkmk-cortana-mdm"></a>1.2 Cortana MDM policies
The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@ -295,17 +354,25 @@ The following Cortana MDM policies are available in the [Policy CSP](http://msdn
 
### <a href="" id="cortana-windows-provisioning"></a>1.3 Cortana Windows Provisioning
### <a href="" id="bkmk-cortana-prov"></a>1.3 Cortana Windows Provisioning
To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** &gt; **Policies** to find **Experience** &gt; **AllowCortana** and **Search** &gt; **AllowSearchToUseLocation**.
## <a href="" id="device-metadata-retrieval"></a>2. Device metadata retrieval
### <a href="" id="bkmk-datetime"></a>2. Date & Time
You can prevent Windows from setting the time automatically.
- To turn off the feature in the UI: **Settings** &gt; **Time & language** &gt; **Date & time** &gt; **Set time automatically**
-or-
- Create a REG\_DWORD registry setting called **NoSync** in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters**, with a value of 1.
### <a href="" id="bkmk-devinst"></a>3. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Device Installation** &gt; **Prevent device metadata retrieval from the Internet**.
## <a href="" id="insider-preview-builds"></a>3. Insider Preview builds
### <a href="" id="bkmk-previewbuilds"></a>4. Insider Preview builds
To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
@ -335,12 +402,11 @@ To turn off Insider Preview builds if you're running a released version of Windo
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
## <a href="" id="internet-explorer"></a>4. Internet Explorer
### <a href="" id="bkmk-ie"></a>5. Internet Explorer
Use Group Policy to manage settings for Internet Explorer.
### <a href="" id="internet-explorer-group-policies"></a>4.1 Internet Explorer Group Policies
### <a href="" id="bkmk-ie-gp"></a>5.1 Internet Explorer Group Policies
Find the Internet Explorer Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Internet Explorer**.
@ -388,14 +454,13 @@ Find the Internet Explorer Group Policy objects under **Computer Configuration**
 
### <a href="" id="internet-explorer-activex-control-blocking"></a>4.2 ActiveX control blocking
### <a href="" id="bkmk-ie-activex"></a>5.2 ActiveX control blocking
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
## <a href="" id="mail-synchronization"></a>5. Mail synchronization
### <a href="" id="bkmk-mailsync"></a>6. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
@ -413,12 +478,11 @@ To turn off the Windows Mail app:
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Mail** &gt; **Turn off Windows Mail application**
## <a href="" id="microsoft-edge"></a>6. Microsoft Edge
### <a href="" id="bkmk-edge"></a>7. Microsoft Edge
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
### <a href="" id="microsoft-edge-group-policies"></a>6.1 Microsoft Edge Group Policies
### <a href="" id="bkmk-edgegp"></a>7.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge**.
@ -479,7 +543,7 @@ The Microsoft Edge Group Policy names were changed in Windows 10, version 1511.
 
### <a href="" id="microsoft-edge-mdm-policies"></a>6.2 Microsoft Edge MDM policies
### <a href="" id="bkmk-edge-mdm"></a>7.2 Microsoft Edge MDM policies
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@ -525,14 +589,13 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
 
### <a href="" id="microsoft-edge-windows-provisioning"></a>6.3 Microsoft Edge Windows Provisioning
### <a href="" id="bkmk-edge-prov"></a>7.3 Microsoft Edge Windows Provisioning
Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** &gt; **Policies**.
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
## <a href="" id="network-connection-status-indicator"></a>7. Network Connection Status Indicator
### <a href="" id="bkmk-ncsi"></a>8. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
@ -540,8 +603,7 @@ You can turn off NCSI through Group Policy:
- Enable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off Windows Network Connectivity Status Indicator active tests**
## <a href="" id="offline-maps"></a>8. Offline maps
### <a href="" id="bkmk-offlinemaps"></a>9. Offline maps
You can turn off the ability to download and update offline maps.
@ -551,15 +613,13 @@ You can turn off the ability to download and update offline maps.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Maps** &gt; **Turn off Automatic Download and Update of Map Data**
## <a href="" id="onedrive"></a>9. OneDrive
### <a href="" id="bkmk-onedrive"></a>10. OneDrive
To turn off OneDrive in your organization:
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **OneDrive** &gt; **Prevent the usage of OneDrive for file storage**
## <a href="" id="preinstalled-apps"></a>10. Preinstalled apps
### <a href="" id="bkmk-preinstalledapps"></a>11. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
@ -671,12 +731,41 @@ To remove the Get Skype app:
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
## <a href="" id="settings--privacy"></a>11. Settings &gt; Privacy
### <a href="" id="bkmk-settingssection"></a>12. Settings &gt; Privacy
Use Settings &gt; Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
### <a href="" id="general"></a>11.1 General
- [12.1 General](#bkmk-general)
- [12.2 Location](#bkmk-priv-location)
- [12.3 Camera](#bkmk-priv-camera)
- [12.4 Microphone](#bkmk-priv-microphone)
- [12.5 Speech, inking, & typing](#bkmk-priv-speech)
- [12.6 Account info](#bkmk-priv-accounts)
- [12.7 Contacts](#bkmk-priv-contacts)
- [12.8 Calendar](#bkmk-priv-calendar)
- [12.9 Call history](#bkmk-priv-callhistory)
- [12.10 Email](#bkmk-priv-email)
- [12.11 Messaging](#bkmk-priv-messaging)
- [12.12 Radios](#bkmk-priv-radios)
- [12.13 Other devices](#bkmk-priv-other-devices)
- [12.14 Feedback & diagnostics](#bkmk-priv-feedback)
- [12.15 Background apps](#bkmk-priv-background)
### <a href="" id="bkmk-priv-general"></a>12.1 General
**General** includes options that don't fall into other areas.
@ -748,7 +837,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang
- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
### <a href="" id="location"></a>11.2 Location
### <a href="" id="bkmk-priv-location"></a>12.2 Location
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
@ -801,7 +890,7 @@ To turn off **Choose apps that can use your location**:
- Turn off each app using the UI.
### <a href="" id="camera"></a>11.3 Camera
### <a href="" id="bkmk-priv-camera"></a>12.3 Camera
In the **Camera** area, you can choose which apps can access a device's camera.
@ -840,7 +929,7 @@ To turn off **Choose apps that can use your camera**:
- Turn off the feature in the UI for each app.
### <a href="" id="microphone"></a>11.4 Microphone
### <a href="" id="bkmk-priv-microphone"></a>12.4 Microphone
In the **Microphone** area, you can choose which apps can access a device's microphone.
@ -858,7 +947,7 @@ To turn off **Choose apps that can use your microphone**:
- Turn off the feature in the UI for each app.
### <a href="" id="speech-inking--typing"></a>11.5 Speech, inking, & typing
### <a href="" id="bkmk-priv-speech"></a>12.5 Speech, inking, & typing
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
@ -883,7 +972,7 @@ To turn off the functionality:
Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
### <a href="" id="account-info"></a>11.6 Account info
### <a href="" id="bkmk-priv-accounts"></a>12.6 Account info
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
@ -901,7 +990,7 @@ To turn off **Choose the apps that can access your account info**:
- Turn off the feature in the UI for each app.
### <a href="" id="contacts"></a>11.7 Contacts
### <a href="" id="bkmk-priv-contacts"></a>12.7 Contacts
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
@ -915,7 +1004,7 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="calendar"></a>11.8 Calendar
### <a href="" id="bkmk-priv-calendar"></a>12.8 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@ -933,7 +1022,7 @@ To turn off **Choose apps that can access calendar**:
- Turn off the feature in the UI for each app.
### <a href="" id="call-history"></a>11.9 Call history
### <a href="" id="bkmk-priv-callhistory"></a>12.9 Call history
In the **Call history** area, you can choose which apps have access to an employee's call history.
@ -947,7 +1036,7 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="email"></a>11.10 Email
### <a href="" id="bkmk-priv-email"></a>12.10 Email
In the **Email** area, you can choose which apps have can access and send email.
@ -961,7 +1050,7 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="messaging"></a>11.11 Messaging
### <a href="" id="bkmk-priv-messaging"></a>12.11 Messaging
In the **Messaging** area, you can choose which apps can read or send messages.
@ -979,7 +1068,7 @@ To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
### <a href="" id="radios"></a>11.12 Radios
### <a href="" id="bkmk-priv-radios"></a>12.12 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
@ -997,7 +1086,7 @@ To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
### <a href="" id="other-devices"></a>11.13 Other devices
### <a href="" id="bkmk-priv-other-devices"></a>12.13 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@ -1015,7 +1104,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="feedback--diagnostics"></a>11.14 Feedback & diagnostics
### <a href="" id="bkmk-priv-feedback"></a>12.14 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
@ -1061,6 +1150,8 @@ To change the level of diagnostic and usage data sent when you **Send your devic
 
-or-
- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
-or-
@ -1087,7 +1178,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- **3**. Maps to the [Full](#bkmk-utc-full) level.
### <a href="" id="background-apps"></a>11.15 Background apps
### <a href="" id="bkmk-priv-background"></a>12.15 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
@ -1095,8 +1186,7 @@ To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
## <a href="" id="software-protection-platform"></a>12. Software Protection Platform
### <a href="" id="bkmk-spp"></a>13. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
@ -1104,8 +1194,7 @@ Enterprise customers can manage their Windows activation status with volume lice
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
## <a href="" id="sync-your-settings"></a>13. Sync your settings
### <a href="" id="bkmk-syncsettings"></a>14. Sync your settings
You can control if your settings are synchronized:
@ -1131,17 +1220,15 @@ To turn off Messaging cloud sync:
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
## <a href="" id="teredo"></a>14. Teredo
### <a href="" id="bkmk-teredo"></a>15. Teredo
You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
- From an elevated command prompt, run **netsh interface teredo set state disabled**
## <a href="" id="wi-fi-sense"></a>15. Wi-Fi Sense
### <a href="" id="bkmk-wifisense"></a>16. Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the persons contacts have shared with them.
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
@ -1163,10 +1250,9 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed.](http://go.microsoft.com/fwlink/p/?LinkId=620910)
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but theyre non-functional and they cant be controlled by the employee.
## <a href="" id="windows-defender"></a>16. Windows Defender
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
### <a href="" id="bkmk-defender"></a>17. Windows Defender
You can opt of the Microsoft Antimalware Protection Service.
@ -1200,10 +1286,17 @@ You can stop sending file samples back to Microsoft.
- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
You can stop downloading definition updates:
- Enable the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **Signature Updates** &gt; **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-and-
- Enable the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **Signature Updates** &gt; **Define file shares for downloading definition updates** and set it to nothing.
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
## <a href="" id="windows-media-player"></a>17. Windows Media Player
### <a href="" id="bkmk-wmp"></a>18. Windows Media Player
To remove Windows Media Player:
@ -1213,8 +1306,7 @@ To remove Windows Media Player:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
## <a href="" id="windows-spotlight"></a>18. Windows spotlight
### <a href="" id="bkmk-spotlight"></a>19. Windows spotlight
Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
@ -1245,29 +1337,27 @@ Windows spotlight provides different background images and text on the lock scre
For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
## <a href="" id="windows-store"></a>19. Windows Store
### <a href="" id="bkmk-windowsstore"></a>20. Windows Store
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Store** &gt; **Disable all apps from Windows Store**.
## <a href="" id="windows-update-delivery-optmization"></a>20. Windows Update Delivery Optimization
### <a href="" id="bkmk-updates"></a>21. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organizations PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
### <a href="" id="settings--update--security"></a>20.1 Settings &gt; Update & security
### <a href="" id="bkmk-wudo-ui"></a>21.1 Settings &gt; Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** &gt; **Update & security** &gt; **Windows Update** &gt; **Advanced options** &gt; **Choose how updates are delivered**.
### <a href="" id="delivery-optimization-group-policies"></a>20.2 Delivery Optimization Group Policies
### <a href="" id="bkmk-wudo-gp"></a>21.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Delivery Optimization**.
@ -1324,7 +1414,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
 
### <a href="" id="delivery-optimization-mdm-policies"></a>20.3 Delivery Optimization MDM policies
### <a href="" id="bkmk-wudo-mdm"></a>21.3 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@ -1381,7 +1471,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS
 
### <a href="" id="delivery-optimization-windows-provisioning"></a>20.4 Delivery Optimization Windows Provisioning
### <a href="" id="bkmk-wudo-prov"></a>21.4 Delivery Optimization Windows Provisioning
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
@ -1397,8 +1487,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
## <a href="" id="windows-update"></a>21. Windows Update
### <a href="" id="bkmk-wu"></a>22. Windows Update
You can turn off Windows Update by setting the following registry entries:
@ -1430,6 +1519,275 @@ You can turn off automatic updates by doing one of the following. This is not re
To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
## <a href="" id="bkmk-utc"></a>Manage your telemetry settings
You can manage your telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings.
You can set your organization’s devices to use 1 of 4 telemetry levels:
- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions)
- [Basic](#bkmk-utc-basic)
- [Enhanced](#bkmk-utc-enhanced)
- [Full](#bkmk-utc-full)
For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). In Windows 10 Enterprise, Windows 10 Education, and IoT Core, the default telemetry level is [Enhanced](#bkmk-utc-enhanced).
**Important**  
These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies.
 
### Use Group Policy to set the telemetry level
Use a Group Policy object to set your organization’s telemetry level.
1. From the Group Policy Management Console, go to **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds**.
2. Double-click **Allow Telemetry**.
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
### Use MDM to set the telemetry level
Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values:
- **0**. Maps to the [Security](#bkmk-utc-security) level.
- **1**. Maps to the [Basic](#bkmk-utc-basic) level.
- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
- **3**. Maps to the [Full](#bkmk-utc-full) level.
### Use Windows Provisioning to set the telemetry level
Use Windows Provisioning and the Windows Imaging and Configuration Designer (Windows ICD) tool – part of the [Windows Assessment and Deployment Kit (Windows ADK) toolkit](http://go.microsoft.com/fwlink/p/?LinkId=526803) - to create a provisioning package and runtime setting that sets your organization’s telemetry level.
After you create the provisioning package, you can email it to your employees, put it on a network share, or integrate the package directly into a custom image using Windows ICD.
**To use Windows ICD to integrate your package into a custom image**
1. Open Windows ICD, and then click **New provisioning package**.
2. In the **Name** box, type a name for the provisioning package, and then click **Next**.
3. Click **Common to all Windows editions** &gt; **Next** &gt; **Finish**.
4. Go to **Runtime settings** &gt; **Policies** &gt; **System** &gt; **AllowTelemetry** to configure the policies. You can set it to one of the following:
- **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level.
- **Basic**. Maps to the [Basic](#bkmk-utc-basic) level.
- **Full**. Maps to the [Enhanced](#bkmk-utc-enhanced) level
- **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level.
5. After you've added all of your settings to the provisioning package, click **Export** &gt; **Provisioning package**.
6. On the **Describe the provisioning package** step, in the **Owner** box, click **IT Admin** &gt; **Next**.
7. On the **Select security details for the provisioning package** step, if you want to protect the package with a password, select the **Encrypt package** check box. If you'd like to sign the package with a certificate, select the **Sign package** check box and select the certificate to use. Click **Next**.
8. On the **Select where to save the provisioning package** step, if you want to save it somewhere other than the Windows ICD project folder, choose a new location, and then click **Next**.
9. On the **Build the provisioning package** step, click **Build**.
### Use Registry Editor to set the telemetry level
Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry.
If a management policy already exists (from Group Policy, MDM, or Windows Provisioning), it will override this registry setting.
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
2. Right-click **DataCollection**, click **New**, and then click **DWORD (32-bit) Value**.
3. Type **AllowTelemetry**, and then press ENTER.
4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**.
- **0**. This setting maps to the [Security](#bkmk-utc-security) level.
- **1**. This setting maps to the [Basic](#bkmk-utc-basic) level.
- **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level
- **3**. This setting maps to the [Full](#bkmk-utc-full) level.
5. Click **File** &gt; **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
### Additional telemetry controls
There are a few more settings that you can turn off that may send telemetry information:
- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** &gt; **Update & security** &gt; **Windows Defender**.
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
- Turn off Linguistic Data Collection in **Settings** &gt; **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article.
**Note**  
Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
 
## <a href="" id="bkmk-moreutc"></a>How telemetry works
Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization.
### <a href="" id="bkmk-telemetrylevels"></a>Telemetry levels
This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
- **Security**. Information that’s required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level.
- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels.
- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels.
As a diagram:
![](images/priv-telemetry-levels.png)
### <a href="" id="bkmk-utc-security"></a>Security level
The Security level gathers only telemetry info that’s required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
**Note**  
If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, Microsoft can’t tell whether an update successfully installed.
You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level.
 
Security level info includes:
- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
**Note**  
You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users.
 
- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender).
**Note**  
This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off.
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality.
 
No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article.
### <a href="" id="bkmk-utc-basic"></a>Basic level
The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version.
Basic level info includes:
- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including:
- Device attributes, such as camera resolution and display type
- Internet Explorer version
- Battery attributes, such as capacity and type
- Networking attributes, such as mobile operator network and IMEI number
- Processor and memory attributes, such as number of cores, speed, and firmware
- Operating system attributes, such as Windows edition and IsVirtualDevice
- Storage attributes, such as number of drives and memory size
- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time.
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems.
- **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS.
- **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
- **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
### <a href="" id="bkmk-utc-enhanced"></a>Enhanced level
The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
Enhanced level info includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components.
- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge.
- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang.
### <a href="" id="bkmk-utc-full"></a>Full level
The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels.
Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level.
If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem.
However, before more info is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
- Ability to get registry keys.
- Ability to gather user content, such as documents, if they might have been the trigger for the issue.
### How is telemetry information handled by Microsoft?
### Collection
Information gathered by the Connected User Experience and Telemetry component complies with Microsoft’s security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info.
### Data Transfer
All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
### Microsoft Data Management Service
The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that’s locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings.
### Usage
Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis.
An example of personalization is to create individually tailored in-product messages.
Microsoft doesn’t share organization-specific customer information with third parties, except at the customer’s direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals.
### Retention
Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%.
 
 

2
windows/manage/distribute-apps-to-your-employees-from-the-windows-store-for-business.md → windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md
View File

@ -42,7 +42,7 @@ Distribute apps to your employees from Windows Store for Business. You can assig
<td align="left"><p>Administrators can assign online-licensed apps to employees in their organization.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Distribute apps with a management tool](distribute-apps-with-a-management-tool.md)</p></td>
<td align="left"><p>[Distribute apps with a management tool](distribute-apps-with-management-tool.md)</p></td>
<td align="left"><p>You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content.</p></td>
</tr>
<tr class="even">

4
windows/manage/distribute-apps-with-a-management-tool.md → windows/manage/distribute-apps-with-management-tool.md
View File

@ -20,7 +20,7 @@ You can configure a mobile device management (MDM) tool to synchronize your Stor
Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Windows Store for Business.
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider.md).
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md).
Store for Business services provide:
@ -59,7 +59,7 @@ This diagram shows how you can use a management tool to distribute an online-lic
## Related topics
[Configure MDM Provider](../manage/configure-mdm-provider.md)
[Configure MDM Provider](../manage/configure-mdm-provider-windows-store-for-business.md)
[Manage apps you purchased from the Windows Store for Business with Micosoft InTune](https://technet.microsoft.com/library/mt676514.aspx)

2
windows/manage/find-and-acquire-apps.md → windows/manage/find-and-acquire-apps-overview.md
View File

@ -34,7 +34,7 @@ Use the Windows Store for Business to find apps for your organization. You can a
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md)</p></td>
<td align="left"><p>[Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)</p></td>
<td align="left"><p>Store for Business has thousands of apps from many different categories.</p></td>
</tr>
<tr class="even">

24
windows/manage/how-it-pros-can-use-configuration-service-providers--csps--.md
View File

@ -28,7 +28,7 @@ The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Wi
## What is a CSP?
A CSP is an interface in the operating system between configuration settings specified in a provisioning document and configuration settings on the device. Some of these settings are configurable and some are read-only.
A CSP is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. Their function is similar to that of Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files or permissions. Some of these settings are configurable and some are read-only.
Starting in Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. In the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10.
@ -38,6 +38,18 @@ CSPs are behind many of the management tasks and policies for Windows 10 in Mic
![how intune maps to csp](images/policytocsp.png)
CSPs receive configuration policies in the XML-based SyncML format pushed to it from an MDM-compliant management server such as Microsoft Intune. Traditional enterprise management systems, such as System Center Configuration Manager, can also target CSPs by using a client-side WMI-to-CSP bridge.
### Synchronization Markup Language (SyncML)
The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based Synchronization Markup Language (SyncML) for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations.
### The WMI-to-CSP Bridge
The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs via scripts and traditional enterprise management software such as Configuration Manager using Windows Management Instrumentation (WMI). The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
[Learn how to use the WMI Bridge Provider with PowerShell.](http://go.microsoft.com/fwlink/p/?LinkId=761090)
## Why should you learn about CSPs?
@ -45,7 +57,7 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried.
In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md) which links to the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)) which links to the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
### CSPs in Windows Imaging and Configuration Designer (ICD)
@ -76,11 +88,15 @@ The [main CSP topic](http://go.microsoft.com/fwlink/p/?LinkId=717390) tells you
![csp per windows edition](images/csptable.png)
The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. The following example shows the diagram for the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes and rectangular elements are settings or policies for which a value must be supplied.
The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format.
The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path.
The following example shows the diagram for the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes and rectangular elements are settings or policies for which a value must be supplied.
![assigned access csp tree](images/provisioning-csp-assignedaccess.png)
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following path, you can see it uses the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608).
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see it uses the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608).
```XML
./Vendor/MSFT/AssignedAccess/KioskModeApp

BIN
windows/manage/images/settings-table.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 17 KiB

6
windows/manage/index.md
View File

@ -38,7 +38,7 @@ Learn about managing and updating Windows 10.
<td align="left"><p>Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md)</p></td>
<td align="left"><p>[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md))</p></td>
<td align="left"><p>The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.</p></td>
</tr>
<tr class="even">
@ -66,6 +66,10 @@ Learn about managing and updating Windows 10.
<td align="left"><p>This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and Windows 10 IoT Core (IoT Core) and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Application development for Windows as a service](application-development-for-windows-as-a-service.md)</p></td>
<td align="left"><p>In todays environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Windows Store for Business](windows-store-for-business.md)</p></td>
<td align="left"><p>Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.</p></td>
</tr>

130
windows/manage/introduction-to-windows-10-servicing.md
View File

@ -286,91 +286,51 @@ Windows 10 Enterprise LTSB does include Internet Explorer 11, and is compatible
Table 2. Servicing option summary
<table>
<tr>
<th rowspan="2">Comparison</th>
<th colspan="3">Windows 10 servicing options</th>
</tr>
<tr>
<th>Current Branch (CB)</th>
<th>Current Branch for Business (CBB)</th>
<th>Long-Term Servicing Branch (LTSB)</th>
</tr>
<tr>
<td><b>Availability of new feature upgrades for installation</b></td>
<td>Immediate</td>
<td>Deferred by ~4 months</td>
<td>Not applicable</td>
</tr>
<tr>
<td><b>Supported editions</b></td>
<td>Windows 10 Home, Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise, Windows 10 Mobile,
IoT Core, IoT Core Pro</td>
<td>Windows 10 Pro,
Windows 10 Education,
Windows 10 Enterprise, Windows 10 Mobile Enterprise,
IoT Core Pro</td>
<td>Windows 10 Enterprise LTSB</td>
</tr>
<tr>
<td><b>Minimum length of servicing lifetime</b></td>
<td>Approximately 4 Months</td>
<td>Approximately 8 months</td>
<td>10 years</td>
</tr>
<tr>
<td><b>Ongoing installation of new feature upgrades required to receive servicing updates</b></td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td><b>Supports Windows Update for release deployment</b></td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td><b>Supports Windows Server Update Services for release deployment</b></td>
<td>Yes
(excludes Home)
</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td><b>Supports Configuration Manager/configuration management systems for release deployment</b></td>
<td>Yes
(excludes Home)
</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td><b>First party browsers included</b></td>
<td>Microsoft Edge,
Internet Explorer 11</td>
<td>Microsoft Edge,
IE11</td>
<td>IE11</td>
</tr>
<tr>
<td><b>Notable Windows
system apps removed
</b></td>
<td>None</td>
<td>None</td>
<td>Microsoft Edge, Windows Store Client, Cortana (limited search available)</td>
</tr>
<tr>
<td><b>Notable Windows
universal apps removed
</b></td>
<td>None</td>
<td>None</td>
<td>Outlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock</td>
</tr>
</table>
Comparison
Windows 10 servicing options
Current Branch (CB)
Current Branch for Business (CBB)
Long-Term Servicing Branch (LTSB)
**Availability of new feature upgrades for installation**
Immediate
Deferred by ~4 months
Not applicable
**Supported editions**
Windows 10 Home, Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise, Windows 10 Mobile, IoT Core, IoT Core Pro
Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise, Windows 10 Mobile Enterprise, IoT Core Pro
Windows 10 Enterprise LTSB
**Minimum length of servicing lifetime**
Approximately 4 Months
Approximately 8 months
10 years
**Ongoing installation of new feature upgrades required to receive servicing updates**
Yes
Yes
No
**Supports Windows Update for release deployment**
Yes
Yes
Yes
**Supports Windows Server Update Services for release deployment**
Yes (excludes Home)
Yes
Yes
**Supports Configuration Manager/configuration management systems for release deployment**
Yes (excludes Home)
Yes
Yes
**First party browsers included**
Microsoft Edge, Internet Explorer 11
Microsoft Edge, IE11
IE11
**Notable Windows system apps removed**
None
None
Microsoft Edge, Windows Store Client, Cortana (limited search available)
**Notable Windows universal apps removed**
None
None
Outlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock
 
## Related topics

2
windows/manage/join-windows-10-mobile-to-azure-active-directory.md
View File

@ -77,7 +77,7 @@ An added work account provides the same SSO experience in browser apps like Offi
- **Mobile device management**
An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or Enterprise Mobility Suite (EMS) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](http://go.microsoft.com/fwlink/p/?LinkID=691615)
An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](http://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](http://go.microsoft.com/fwlink/p/?LinkID=691615)
- **Microsoft Passport**

2
windows/manage/lock-down-windows-10-to-specific-apps.md
View File

@ -18,7 +18,7 @@ author: jdeckerMS
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](../keep-secure/applocker-overview-server.md). AppLocker rules specify which apps are allowed to run on the device.
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](../keep-secure/applocker-overview.md). AppLocker rules specify which apps are allowed to run on the device.
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](../keep-secure/how-applocker-works-techref.md).

17
windows/manage/lock-down-windows-10.md
View File

@ -43,28 +43,23 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
<td align="left"><p>Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure telemetry in your organization](configure-telemetry-in-your-organization.md)</p></td>
<td align="left"><p>Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.</p></td>
<td align="left"><p>[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)</p></td>
<td align="left"><p>Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Disconnect from Microsoft and configure privacy settings in your organization](disconnect-your-organization-from-microsoft.md)</p></td>
<td align="left"><p>If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.</p>
<p>If youre looking for content on what each telemetry level means and how to configure it in your organization, see [Configure telemetry in your organization](configure-telemetry-in-your-organization.md).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)</p></td>
<td align="left"><p>IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)</p></td>
<tr class="odd">
<td align="left"><p>[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md))</p></td>
<td align="left"><p>Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.</p>
<p>The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)</p></td>
<td align="left"><p>Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)</p></td>
<td align="left"><p>There are two methods for resetting a Windows 10 Mobile device: factory reset and &quot;wipe and persist&quot; reset.</p></td>
</tr>

4
windows/manage/manage-apps.md → windows/manage/manage-apps-windows-store-for-business-overview.md
View File

@ -38,7 +38,7 @@ Manage settings and access to apps in Windows Store for Business.
<td align="left"><p>You can manage access to your private store in Store for Business.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[App inventory managemement for Windows Store for Business](app-inventory-managemement-for-windows-store-for-business.md)</p></td>
<td align="left"><p>[App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)</p></td>
<td align="left"><p>You can manage all apps that you've acquired on your <strong>Inventory</strong> page.</p></td>
</tr>
<tr class="odd">
@ -46,7 +46,7 @@ Manage settings and access to apps in Windows Store for Business.
<td align="left"><p>The private store is a feature in the Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Configure MDM provider](configure-mdm-provider.md)</p></td>
<td align="left"><p>[Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)</p></td>
<td align="left"><p>For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.</p></td>
</tr>
</tbody>

0
windows/manage/manage-cortana-in-your-enterprise.md → windows/manage/manage-cortana-in-enterprise.md
View File

6
windows/manage/manage-settings-in-the-windows-store-for-business.md → windows/manage/manage-settings-windows-store-for-business.md
View File

@ -34,12 +34,12 @@ You can add users and groups, as well as update some of the settings associated
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Update Windows Store for Business account settings](update-windows-store-for-business-account-settings-.md)</p></td>
<td align="left"><p>[Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md))</p></td>
<td align="left"><p>The <strong>Account information</strong> page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage user accounts in Windows Store for Business](manage-users-and-groups-in-the-windows-store-for-business.md)</p></td>
<td align="left"><p>Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-in-the-windows-store-for-business.md), but not to groups.</p></td>
<td align="left"><p>[Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md))</p></td>
<td align="left"><p>Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups.</p></td>
</tr>
</tbody>
</table>

4
windows/manage/manage-users-and-groups-in-the-windows-store-for-business.md → windows/manage/manage-users-and-groups-windows-store-for-business.md
View File

@ -16,7 +16,7 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
Windows Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-in-the-windows-store-for-business.md), but not to groups.
Windows Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups.
## Why Azure AD accounts?
@ -36,7 +36,7 @@ For more information on Azure AD, see [About Office 365 and Azure Active Directo
## Add user accounts to your Azure AD directory
If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-in-the-windows-store-for-business.md)
If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-windows-store-for-business.md)
You can use the [Office 365 admin dashboard](http://go.microsoft.com/fwlink/p/?LinkId=708616) or [Azure management portal](http://go.microsoft.com/fwlink/p/?LinkId=691086) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](http://go.microsoft.com/fwlink/p/?LinkId=708617).

0
windows/manage/manage-wi-fi-sense-in-your-company.md → windows/manage/manage-wifi-sense-in-enterprise.md
View File

0
windows/manage/prerequisites-for-windows-store-for-business.md → windows/manage/prerequisites-windows-store-for-business.md
View File

2
windows/manage/roles-and-permissions-in-the-windows-store-for-business.md → windows/manage/roles-and-permissions-windows-store-for-business.md
View File

@ -211,7 +211,7 @@ These permissions allow people to:
4.
If you are not finding the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Windows Store for Business.](manage-users-and-groups-in-the-windows-store-for-business.md)
If you are not finding the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Windows Store for Business.](manage-users-and-groups-windows-store-for-business.md))
 

4
windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
View File

@ -44,6 +44,10 @@ For a more secure kiosk experience, we recommend that you make the following con
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Remove the power button from the sign-in screen.
Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.

6
windows/manage/settings-reference--windows-store-for-business.md → windows/manage/settings-reference-windows-store-for-business.md
View File

@ -21,12 +21,12 @@ The Windows Store for Business has a group of settings that admins use to manage
| | |
|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Setting | Description |
| Account information | Provides info on these configured settings for your Store for Business account . These settings include: country or region, default domain, organization name, and language preference. You can make updates to these settings with Office 365 or Azure management portals. For more information, see [Manage settings for the Windows Store for Business](manage-settings-in-the-windows-store-for-business.md). |
| Account information | Provides info on these configured settings for your Store for Business account . These settings include: country or region, default domain, organization name, and language preference. You can make updates to these settings with Office 365 or Azure management portals. For more information, see [Manage settings for the Windows Store for Business](manage-settings-windows-store-for-business.md). |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). |
| LOB publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider.md). |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). |
| Offline licensing | Configure whether or not to make offline-licensed apps available in the Store for Business. For more information, see [Distribute offline apps](distribute-offline-apps.md). |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Windows Store for Business](roles-and-permissions-in-the-windows-store-for-business.md). |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md). |
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). |
 

8
windows/manage/sign-up-and-get-started.md → windows/manage/sign-up-windows-store-for-business-overview.md
View File

@ -34,19 +34,19 @@ IT admins can sign up for the Windows Store for Business, and get started workin
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Prerequisites for Windows Store for Business](prerequisites-for-windows-store-for-business.md)</p></td>
<td align="left"><p>[Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)</p></td>
<td align="left"><p>There are a few prerequisites for using Store for Business.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Sign up for Windows Store for Business](sign-up-for-windows-store-for-business.md)</p></td>
<td align="left"><p>[Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)</p></td>
<td align="left"><p>Before you sign up for Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Roles and permissions in the Windows Store for Business](roles-and-permissions-in-the-windows-store-for-business.md)</p></td>
<td align="left"><p>[Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)</p></td>
<td align="left"><p>The first person to sign in to Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Settings reference: Windows Store for Business](settings-reference--windows-store-for-business.md)</p></td>
<td align="left"><p>[Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)</p></td>
<td align="left"><p>The Store for Business has a group of settings that admins use to manage the store.</p></td>
</tr>
</tbody>

4
windows/manage/sign-up-for-windows-store-for-business.md → windows/manage/sign-up-windows-store-for-business.md
View File

@ -85,9 +85,9 @@ Before signing up for the Store for Business, make sure you're the global admini
After signing up for Store for Business, you can:
- **Add users to your Azure AD directory**. If you created your Azure AD directory during Store for Business sign up, additional user accounts are required for employees to install apps you assign to them, or to browse the private store. For more information, see [Manage user accounts in Store for Business](manage-users-and-groups-in-the-windows-store-for-business.md).
- **Add users to your Azure AD directory**. If you created your Azure AD directory during Store for Business sign up, additional user accounts are required for employees to install apps you assign to them, or to browse the private store. For more information, see [Manage user accounts in Store for Business](manage-users-and-groups-windows-store-for-business.md)).
- **Assign roles to employees**. For more information, see [Roles and permissions in the Windows Store for Business](roles-and-permissions-in-the-windows-store-for-business.md).
- **Assign roles to employees**. For more information, see [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md).
 

2
windows/manage/stop-employees-from-using-the-windows-store.md
View File

@ -82,7 +82,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS
- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
For more information, see [Configure an MDM provider](configure-mdm-provider.md).
For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
## Related topics

0
windows/manage/troubleshoot.md → windows/manage/troubleshoot-windows-store-for-business.md
View File

0
windows/manage/update-windows-store-for-business-account-settings-.md → windows/manage/update-windows-store-for-business-account-settings.md
View File

12
windows/manage/windows-store-for-business.md
View File

@ -34,19 +34,19 @@ Welcome to the Windows Store for Business! You can use the Store for Business, t
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Sign up and get started](sign-up-and-get-started.md)</p></td>
<td align="left"><p>[Sign up and get started](sign-up-windows-store-for-business-overview.md)</p></td>
<td align="left"><p>IT admins can sign up for the Store for Business, and get started working with apps.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Find and acquire apps](find-and-acquire-apps.md)</p></td>
<td align="left"><p>[Find and acquire apps](find-and-acquire-apps-overview.md)</p></td>
<td align="left"><p>Use the Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-from-the-windows-store-for-business.md)</p></td>
<td align="left"><p>[Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)</p></td>
<td align="left"><p>Distribute apps to your employees from Store for Business. You can assign apps to employees, or let employees install them from your private store.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage apps](manage-apps.md)</p></td>
<td align="left"><p>[Manage apps](manage-apps-windows-store-for-business-overview.md)</p></td>
<td align="left"><p>Manage settings and access to apps in Store for Business.</p></td>
</tr>
<tr class="odd">
@ -54,11 +54,11 @@ Welcome to the Windows Store for Business! You can use the Store for Business, t
<td align="left"><p>Device Guard signing is a Device Guard feature that is available in the Store for Business. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage settings in the Windows Store for Business](manage-settings-in-the-windows-store-for-business.md)</p></td>
<td align="left"><p>[Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)</p></td>
<td align="left"><p>You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Troubleshoot Windows Store for Business](troubleshoot.md)</p></td>
<td align="left"><p>[Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md))</p></td>
<td align="left"><p>Troubleshooting topics for Store for Business.</p></td>
</tr>
</tbody>

2
windows/manage/working-with-line-of-business-apps.md
View File

@ -91,7 +91,7 @@ After an ISV submits the LOB app for your company, the Store for Businessadmin n
After you add the app to your inventory, you can choose how to distribute the app. For more information, see:
- [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-from-the-windows-store-for-business.md)
- [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
- [Distribute apps from your private store](distribute-apps-from-your-private-store.md)